Because the Global Zone boots into a ramdisk, it's not obvious how to make the most common change requested in that "ephemeral" environment: changing root's password.

The /etc/shadow file is actually a file from the /usbkey filesystem on the persistent zpool, which is "lofs-mounted" over the file in the ramdisk-backed /etc filesystem. That mountpoint isn't writable by normal means (see below for details), so to change that, you'll want to make this change:

This change will persist after reboots, because you've copied it back to the /usbkey/shadow location. After a reboot, /etc/shadow will again be an un-writable lofs mountpoint.

Alternately, you can (carefully) edit the hash in the /usbkey/shadow file with a new one. The program /usr/lib/cryptpass will generate a valid hash:

... this method will require a reboot to take effect.

Lofs-mounted single files can, in fact, be written to, but due to the way they're mounted, you can't "create" them, so normal opens and writes (like from the vi editor, running the "passwd" command, or from shell ">" redirection) won't work.

This command will overwrite the lofs mounted /etc/shadow file with a (presumably edited) /tmp/shadow file, using the socat binary , which lets you specify the arguments to the open syscall: